
Security in Drupal

Securing Authentication Credentials

Last updated on
25 February 2026


Recommendations

Authentication credentials (such as API keys) should not be stored unencrypted in the Drupal database or file system. They should not be committed to a code repository or stored in files under version control.

Credentials should be encrypted before they are stored and decrypted only at the moment they are needed. Ideally, the chain of trust extends from the storage location to the usage site, and the secret cannot be viewed by any other path (configuration export, database dump, logs, or debugging output).

Methods for Storing API Credentials

Use Environment Variables

Secrets can be stored in environment variables ("Hide Your Keys, Hide Your Access" by April Sides). However, any PHP code running on the site can read environment variables, so this is not the most secure option. At the start of her blog post, April suggests "[i]f your access credentials are protecting highly sensitive data, you may want to consider subscribing to an encrypted key management provider."

If using environment variables, be aware that their values can be viewed by executing the PHP function phpinfo(). This can be disabled by adding the following to php.ini:

disable_functions = phpinfo

Or by adding the following to the .htaccess file:

php_value disable_functions phpinfo

Add settings.php Value from External File

Another method, described in settings.php for use with hash_salt, is to place the value in a file outside of the document root and read it from your settings.php. The same approach can be used for other values, such as credentials needed by modules.

$settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
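The two methods above (environment variables and a file outside the document root) can be combined in settings.php. The following is an added example, not code from the page or from Drupal core: it checks the environment variable first, falls back to an external file, refuses a file that other local accounts can read, and fails closed at bootstrap when neither source yields a value. The names DRUPAL_HASH_SALT, EXAMPLE_API_KEY, /home/example/secrets/example_api_key and $settings['example_api_key'] are placeholders chosen for this example; /home/example/salt.txt is the path from the snippet above.

```php
<?php

// Added example for settings.php (not from the original page or Drupal core).
// Resolves a secret from an environment variable first and from a file
// outside the document root second, failing closed when neither is usable.
// DRUPAL_HASH_SALT, EXAMPLE_API_KEY and the /home/example/secrets/ path are
// placeholder names chosen for this example.

/**
 * Resolves a secret from an environment variable or an external file.
 *
 * A closure is used instead of a named function so that settings.php can be
 * included more than once (for example during installation) without a
 * "cannot redeclare function" error.
 *
 * @param string $env_name
 *   Environment variable to check first.
 * @param string $file_path
 *   Absolute path to a file outside the document root, read when the
 *   variable is unset or empty.
 *
 * @return string
 *   The secret with surrounding whitespace (including a trailing newline)
 *   removed.
 */
$resolve_secret = static function (string $env_name, string $file_path): string {
  // Environment variables win, so the same settings.php works in every
  // environment without editing.
  $value = getenv($env_name);
  if ($value !== FALSE && trim($value) !== '') {
    return trim($value);
  }

  if (!is_readable($file_path)) {
    throw new \RuntimeException(sprintf('Secret file %s is missing or unreadable.', $file_path));
  }

  // A secret file that other local accounts can read offers little more
  // protection than an environment variable, so insist on owner-only access.
  // (fileperms() is only meaningful on POSIX file systems.)
  $mode = fileperms($file_path) & 0777;
  if (($mode & 0077) !== 0) {
    throw new \RuntimeException(sprintf('Secret file %s must not be group- or world-accessible (mode %o).', $file_path, $mode));
  }

  $value = trim((string) file_get_contents($file_path));
  if ($value === '') {
    throw new \RuntimeException(sprintf('Secret file %s is empty.', $file_path));
  }
  return $value;
};

// The site-wide hash salt, as in the page's snippet, with the checks above.
$settings['hash_salt'] = $resolve_secret('DRUPAL_HASH_SALT', '/home/example/salt.txt');

// A credential for a custom module. The module then reads
// Settings::get('example_api_key') instead of calling getenv() or opening
// files itself, so the lookup logic lives in exactly one place.
$settings['example_api_key'] = $resolve_secret('EXAMPLE_API_KEY', '/home/example/secrets/example_api_key');
```

Because the exceptions are thrown while settings.php is being included, a missing or badly protected secret stops the site from bootstrapping rather than letting it run with an empty credential; the error message names the file or variable but never echoes the value.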

Use Contributed Modules for Key Management

The Easy Encryption module provides a zero-configuration solution for securing sensitive data and credentials at rest in Drupal. Easy Encryption uses the Key module under the hood (the default Sodium sealed box encryptor resolves its key material through it), and it also provides integration for storing encrypted data as Key entities. Outside of those two touchpoints, though, the module stands on its own. It has grown into a standalone, pluggable encryption abstraction for Drupal that can work independently of the Key module entirely.

The Encrypt module is a Drupal module that provides an application programming interface (API) for performing symmetric or asymmetric encryption. It allows integrating modules to encrypt and decrypt data in a standardized manner. It doesn't provide any user-facing features of its own, aside from administration pages to manage encryption profiles.

The Key module provides the ability to improve Drupal security by managing sensitive keys (such as API and encryption keys). It gives site administrators the ability to define how and where keys are stored, which allows the option of a high level of security and allows sites to meet regulatory or compliance requirements.

Other modules integrate with the Key module to connect with encrypted key management providers. One of the available modules is AWS Secrets Manager. Using such a module requires a subscription to the external service that handles the key management.
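The following added example (not from the page, nor from the Key or Encrypt projects) shows how a custom module would consume the Key and Encrypt modules described above: the API key is fetched from its Key entity at the moment it is used, and a short-lived token obtained with it is encrypted through an Encrypt profile before it is written to the State API. The module name example_client, the Key ID "example_api_key" and the encryption profile ID "example_profile" are assumptions for this example and must exist in the site's configuration; the service and interface names are those provided by the Key and Encrypt modules.

```php
<?php

namespace Drupal\example_client;

use Drupal\Core\State\StateInterface;
use Drupal\encrypt\EncryptionProfileManagerInterface;
use Drupal\encrypt\EncryptServiceInterface;
use Drupal\key\KeyRepositoryInterface;

/**
 * Reads an API key through the Key module and stores a token via Encrypt.
 *
 * Added example, not part of the page or of the Key/Encrypt projects.
 * Assumptions: a Key entity with ID "example_api_key" and an encryption
 * profile with ID "example_profile" have been created by the site
 * administrator. Wire the service in example_client.services.yml with the
 * arguments '@key.repository', '@encryption',
 * '@encrypt.encryption_profile.manager' and '@state'.
 */
final class CredentialStore {

  public const KEY_ID = 'example_api_key';
  public const PROFILE_ID = 'example_profile';
  private const STATE_KEY = 'example_client.oauth_token';

  public function __construct(
    private readonly KeyRepositoryInterface $keyRepository,
    private readonly EncryptServiceInterface $encryption,
    private readonly EncryptionProfileManagerInterface $profileManager,
    private readonly StateInterface $state,
  ) {}

  /**
   * Returns the API key at the point of use.
   *
   * The value is resolved by the Key entity's provider (file, environment,
   * an external secrets manager, ...) and is never copied into config or
   * state by this class.
   */
  public function getApiKey(): string {
    $key = $this->keyRepository->getKey(self::KEY_ID);
    if ($key === NULL) {
      throw new \RuntimeException(sprintf('Key "%s" is not configured.', self::KEY_ID));
    }
    $value = $key->getKeyValue();
    if (!is_string($value) || $value === '') {
      throw new \RuntimeException(sprintf('Key "%s" has no value in its provider.', self::KEY_ID));
    }
    return $value;
  }

  /**
   * Encrypts a token before it touches the database.
   */
  public function storeToken(string $token): void {
    $this->state->set(self::STATE_KEY, $this->encryption->encrypt($token, $this->profile()));
  }

  /**
   * Returns the decrypted token, or NULL when none has been stored.
   */
  public function getToken(): ?string {
    $ciphertext = $this->state->get(self::STATE_KEY);
    if (!is_string($ciphertext) || $ciphertext === '') {
      return NULL;
    }
    return $this->encryption->decrypt($ciphertext, $this->profile());
  }

  /**
   * Removes the stored token (for example when the remote session is revoked).
   */
  public function clearToken(): void {
    $this->state->delete(self::STATE_KEY);
  }

  /**
   * Loads the encryption profile, failing closed if it is missing.
   */
  private function profile() {
    $profile = $this->profileManager->getEncryptionProfile(self::PROFILE_ID);
    if ($profile === NULL) {
      throw new \RuntimeException(sprintf('Encryption profile "%s" is not configured.', self::PROFILE_ID));
    }
    return $profile;
  }

}
```

Keeping the key lookup in one service means the credential is never placed in a config entity that would be exported to YAML under version control, and the only database row involved holds ciphertext whose key lives wherever the Key entity's provider points, which is the chain of trust the recommendations above call for.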

Key Management Providers

Other Modules

The HashiCorp Vault module is intended to provide Core APIs for HashiCorp Vault integration. The module is in development and there is an alpha release as of 6 March 2022.

Additional Reading
